
Windows computers authentication failure after a restart or shutdown

mikeyasg
Level 1

The native supplicant is configured for PEAP and MSCHAPv2. The authentication method is user or computer authentication. Verify server identity is also checked, and we use an ISE self-signed certificate. It authenticates successfully at first, but after a restart it fails. To make it successful we must unplug and plug the cable or disable and enable the network adapter. The RADIUS log in ISE shows 15039 Rejected per authorization profile. Here below is the configuration on the switch. What did I miss?

The configuration on the switch

Global Config

aaa new-model
aaa group server radius RADIUS_GROUP
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization auth-proxy default group RADIUS_GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group RADIUS_GROUP
aaa server radius dynamic-author
aaa session-id common

Interface config

authentication event fail action next-method
authentication event server dead action reinitialize vlan 650
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10

I have run the test command 
test aaa group RADIUS_GROUP testuser test password new-model

and it returns User successfully authenticated.

Accepted Solution

"Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to restart the authentication process is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event."

The solution is the re-auth command. Try adding it on one interface, monitor the interface and client, and then apply it to all other interfaces.
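The "re-auth command" the accepted answer refers to, on the legacy IOS authentication-manager syntax this port already uses, is periodic re-authentication on the interface. What follows is an added example, not configuration posted by anyone in this thread or by Cisco: the interface stanza from the question with re-authentication enabled and the interval taken from the RADIUS server. The interface name GigabitEthernet1/0/1 and the 3600-second alternative are assumptions.

```ios
! Added example: the interface stanza from the question, plus periodic re-authentication.
! The interface name and the fixed timer value in the comment are assumptions, not from the thread.
interface GigabitEthernet1/0/1
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 650
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 ! Enable periodic re-authentication so a session that was rejected, or that
 ! stayed up while the supplicant restarted, is retried without a link-down
 ! or EAP-Logoff event on the port.
 authentication periodic
 ! Take the re-auth interval from the Session-Timeout attribute ISE returns.
 ! For a fixed local interval use "authentication timer reauthenticate 3600"
 ! instead (3600 seconds is an assumed value).
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

After applying it to one port, `show authentication sessions interface GigabitEthernet1/0/1 details` shows the session's current method, status and the re-authentication timer counting down; restarting the attached Windows machine should then end with the session returning to the authorized state on its own, with a matching new Passed Authentication entry in ISE Live Logs, rather than staying on the rejection.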


5 Replies

I think the issue is that the client does not send EAP-Logoff. Is this client Win10?

Yes. Windows 10 version 21H2


Can you share the command?
